Anton Aylward wrote:
On 07/07/2014 04:00 PM, Dirk Gently wrote:
A lot of organizations using Linux or Unix would come to a screeching halt if the default permissions for home directories were drwx------.
Please explain why. Please explain what business decisions lead to and justify that and why they exclude other approaches.
I ask this because I have run both development and operational sites where the user's individual home directories were so protected.
Well, then, you've never worked at the organizations I've been in.
If your justification is the need to share, then there are other, cleaner, better managed ways to do it, such as setting up project directories or using web based interfaces.
Or a user can put all of his personal stuff in a personal directory that he keeps locked down. MUCH simpler.
The usual objection to those lies with access control, but that is just indicative of people who either don't understand set theory/group theory or don't have 'idiot stick' admin tools that let them set up and manage groups. (This is where LDAP based administration can come in very useful.)
I'm very familiar with it. When I was in college, we were told explicitly to NOT allow our programming projects to be publicly readable (to prevent people from copying each other's homework, etc.). If 18-year-old freshmen can handle it, then surely adults in the workplace can figure it out.
Of course many systems implement some kind of RBAC (even if only in overlay).
It is a matter of how seriously your organization takes security. There is increasing pressure in this area.
There's security, and then there's setting up pointless walls which the employees will just bypass, destroying all of your grand security ideas.
While one can do wonderful things with the 1970s era UNIX groups and the basic 'ugo'/'rwx' it is still limited for the modern world with thousands of users and hundreds of 'domains'. At least RBAC drags Linux 'kicking and screaming' into the 1990s (which is when RBAC was first developed).
When you cross a domain, you're going outside of not only the tightly knit group, you're typically going across organizational lines, too (like Engineering and Accounting).
Go google and find things like
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/htm...
http://cs.wellesley.edu/~cs342/fall10/papers/asolomon-thesis.pdf
As I say, it boils down to how seriously your organization takes security.
Not every organization is the Department of Defense.
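
The two mechanisms this thread argues over, as an added shell sketch that is not from either poster: a check for home directories looser than `drwx------`, and a group-owned setgid project directory for sharing. The function names and arguments are hypothetical, and `stat -c` assumes GNU coreutils as shipped on Linux.

```shell
#!/bin/sh
# Added illustration; function names and paths are hypothetical.

# Print each directory directly under $1 whose mode grants any group or
# other access, i.e. anything looser than drwx------ (0700).
audit_homes() {
    base=$1
    for d in "$base"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        [ -L "$d" ] && continue                        # skip symlinked entries
        mode=$(printf '%04d' "$(stat -c '%a' "$d")")   # e.g. 0700, 0755
        case "$mode" in
            *00) ;;                                    # owner-only: fine
            *)   printf '%s %s\n' "$mode" "$d" ;;      # group/other bits set
        esac
    done
}

# Create a shared project directory: rwx for owner and group, nothing for
# others, and setgid so files created inside inherit the project group.
make_project_dir() {
    dir=$1 group=$2
    mkdir -p "$dir" &&
    chgrp "$group" "$dir" &&
    chmod 2770 "$dir"
}
```

Files created in the project directory are only group-writable if the creating user's umask allows it (for example `umask 007`).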